discordrat | 292f3a442b476c28afc3249f743025dec25bf27d8b17fe77a981eecf0855de13

Analysis

max time kernel
125s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 17:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

roblox-player.exe
Size

78KB
MD5

1e45a9dde0fa43462d3132a6409d6bd3
SHA1

9da3717811e4fbd3f5a8a34f5e6a7ed18e20b22a
SHA256

292f3a442b476c28afc3249f743025dec25bf27d8b17fe77a981eecf0855de13
SHA512

7ad3b6b5cfb79ac02f8c026026ca442f82ee9fec3cf619b32d72ad8ae406a797364b84e4dffaea54f48d3abe3c81b7e109e998330cb734912431e1e666718c4a
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+jPIC:5Zv5PDwbjNrmAE+7IC

Score

10^/10

discordrat persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5ODIzNjEyMDA3MzM3MTc1OA.G8u0Ka.A4SAtH9lkH8LkHGGBTIXVQMB7VUu6Xrbs9X1kk
server_id
1237627992709009478

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1688 created 604	1688	roblox-player.exe	5

Downloads MZ/PE file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
56	discord.com
57	discord.com
58	discord.com
67	raw.githubusercontent.com
73	discord.com
81	raw.githubusercontent.com
6	discord.com
72	raw.githubusercontent.com
92	discord.com
5	discord.com
70	discord.com
74	discord.com
17	discord.com
66	discord.com
68	raw.githubusercontent.com
69	discord.com
86	discord.com
65	discord.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77roblox-player.exe	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 4660	1688	roblox-player.exe	103

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
212	SCHTASKS.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46c0a203-8681-42bf = 04e363d5c8a3da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df2a37d-a896-4868	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df2a37d-a896-4868 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48e15548-48c6-40d9 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0ff29e2-1100-488d = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3461a3cd-9e16-4764	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3461a3cd-9e16-4764	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a = c31b71d5c8a3da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48e15548-48c6-40d9	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48e15548-48c6-40d9 = 69b734d6c8a3da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0ff29e2-1100-488d = 789b51d6c8a3da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3461a3cd-9e16-4764 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac686e88-914b-4dba = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac686e88-914b-4dba	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac686e88-914b-4dba = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000000531c7d5c8a3da01a8b62dd6c8a3da01a8b62dd6c8a3da0161d705000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab58bb8b2000326130306232376231616439666634393965363939363439623265356539623433636630613733633763396437643030303138363231613166333565636132310000b20009000400efbeab58bb8bab58bb8b2e0000000000000000000000000000000000000000000000000097239b00320061003000300062003200370062003100610064003900660066003400390039006500360039003900360034003900620032006500350065003900620034003300630066003000610037003300630037006300390064003700640030003000300031003800360032003100610031006600330035006500630061003200310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ce20539c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32613030623237623161643966663439396536393936343962326535653962343363663061373363376339643764303030313836323161316633356563613231000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079636c657874616c000000000000000032c7bda1b4a83542a64d5b3e076d55943803a425d303ef11b826f2de30e5511532c7bda1b4a83542a64d5b3e076d55943803a425d303ef11b826f2de30e55115d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500370031003300310036003600350036002d0033003600360035003200350037003700320035002d0032003400310035003500330031003800310032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000073c7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb = 8d2a66d5c8a3da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df2a37d-a896-4868 = d4a77cd5c8a3da01	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48e15548-48c6-40d9 = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3461a3cd-9e16-4764 = "\\\\?\\Volume{B97E3C07-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3da27f9df8b329414ae27ed9c91d21ba4766e1aa6be54fb4d4c538375e537851"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48e15548-48c6-40d9	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac686e88-914b-4dba	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46c0a203-8681-42bf	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000697165d5c8a3da01697165d5c8a3da01697165d5c8a3da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab58bb8b2000326130306232376231616439666634393965363939363439623265356539623433636630613733633763396437643030303138363231613166333565636132310000b20009000400efbeab58bb8bab58bb8b2e0000000000000000000000000000000000000000000000000097239b00320061003000300062003200370062003100610064003900660066003400390039006500360039003900360034003900620032006500350065003900620034003300630066003000610037003300630037006300390064003700640030003000300031003800360032003100610031006600330035006500630061003200310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ce20539c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c32613030623237623161643966663439396536393936343962326535653962343363663061373363376339643764303030313836323161316633356563613231000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079636c657874616c000000000000000032c7bda1b4a83542a64d5b3e076d55943203a425d303ef11b826f2de30e5511532c7bda1b4a83542a64d5b3e076d55943203a425d303ef11b826f2de30e55115d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500370031003300310036003600350036002d0033003600360035003200350037003700320035002d0032003400310035003500330031003800310032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000073c7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac686e88-914b-4dba = f0f37ed6c8a3da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df2a37d-a896-4868 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000d55c71d5c8a3da01d55c71d5c8a3da01d55c71d5c8a3da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab58bb8b2000336461323766396466386233323934313461653237656439633931643231626134373636653161613662653534666234643463353338333735653533373835310000b20009000400efbeab58bb8bab58bb8b2e000000000000000000000000000000000000000000000000002b388f00330064006100320037006600390064006600380062003300320039003400310034006100650032003700650064003900630039003100640032003100620061003400370036003600650031006100610036006200650035003400660062003400640034006300350033003800330037003500650035003300370038003500310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ce20539c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33646132376639646638623332393431346165323765643963393164323162613437363665316161366265353466623464346335333833373565353337383531000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079636c657874616c000000000000000032c7bda1b4a83542a64d5b3e076d55943303a425d303ef11b826f2de30e5511532c7bda1b4a83542a64d5b3e076d55943303a425d303ef11b826f2de30e55115d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500370031003300310036003600350036002d0033003600360035003200350037003700320035002d0032003400310035003500330031003800310032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000073c7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48e15548-48c6-40d9 = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000007a94aad5c8a3da014a570cd6c8a3da014a570cd6c8a3da013c9f07000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab58bb8b2000336638626533383861366535643561636431366261623834643030306236323634326530656435316432633831613863366633643433363865613035323530660000b20009000400efbeab58bb8bab58bb8b2e00000000000000000000000000000000000000000000000000b5e99f00330066003800620065003300380038006100360065003500640035006100630064003100360062006100620038003400640030003000300062003600320036003400320065003000650064003500310064003200630038003100610038006300360066003300640034003300360038006500610030003500320035003000660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ce20539c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33663862653338386136653564356163643136626162383464303030623632363432653065643531643263383161386336663364343336386561303532353066000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079636c657874616c000000000000000032c7bda1b4a83542a64d5b3e076d55943503a425d303ef11b826f2de30e5511532c7bda1b4a83542a64d5b3e076d55943503a425d303ef11b826f2de30e55115d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500370031003300310036003600350036002d0033003600360035003200350037003700320035002d0032003400310035003500330031003800310032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000073c7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac686e88-914b-4dba = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46c0a203-8681-42bf = "\\\\?\\Volume{B97E3C07-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3f8be388a6e5d5acd16bab84d000b62642e0ed51d2c81a8c6f3d4368ea05250f"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0ff29e2-1100-488d = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46c0a203-8681-42bf	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000001c1163d5c8a3da011c1163d5c8a3da011c1163d5c8a3da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab58bb8b2000656463323332626334383463653234626636323137393339383337666336636266303338393261643964666631306433633666653863626163393331623961360000b20009000400efbeab58bb8bab58bb8b2e00000000000000000000000000000000000000000000000000e4839d00650064006300320033003200620063003400380034006300650032003400620066003600320031003700390033003900380033003700660063003600630062006600300033003800390032006100640039006400660066003100300064003300630036006600650038006300620061006300390033003100620039006100360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ce20539c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c65646332333262633438346365323462663632313739333938333766633663626630333839326164396466663130643363366665386362616339333162396136000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079636c657874616c000000000000000032c7bda1b4a83542a64d5b3e076d55943103a425d303ef11b826f2de30e5511532c7bda1b4a83542a64d5b3e076d55943103a425d303ef11b826f2de30e55115d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500370031003300310036003600350036002d0033003600360035003200350037003700320035002d0032003400310035003500330031003800310032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000073c7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df2a37d-a896-4868	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df2a37d-a896-4868 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0ff29e2-1100-488d = "\\\\?\\Volume{B97E3C07-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\edc232bc484ce24bf6217939837fc6cbf03892ad9dff10d3c6fe8cbac931b9a6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac686e88-914b-4dba = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\ac686e88-914b-4dba = "\\\\?\\Volume{B97E3C07-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2a00b27b1ad9ff499e699649b2e5e9b43cf0a73c7c9d7d00018621a1f35eca21"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46c0a203-8681-42bf = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000004bab60d5c8a3da014bab60d5c8a3da014bab60d5c8a3da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab58bb8b2000336638626533383861366535643561636431366261623834643030306236323634326530656435316432633831613863366633643433363865613035323530660000b20009000400efbeab58bb8bab58bb8b2e00000000000000000000000000000000000000000000000000b5e99f00330066003800620065003300380038006100360065003500640035006100630064003100360062006100620038003400640030003000300062003600320036003400320065003000650064003500310064003200630038003100610038006300360066003300640034003300360038006500610030003500320035003000660000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ce20539c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33663862653338386136653564356163643136626162383464303030623632363432653065643531643263383161386336663364343336386561303532353066000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079636c657874616c000000000000000032c7bda1b4a83542a64d5b3e076d55943003a425d303ef11b826f2de30e5511532c7bda1b4a83542a64d5b3e076d55943003a425d303ef11b826f2de30e55115d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500370031003300310036003600350036002d0033003600360035003200350037003700320035002d0032003400310035003500330031003800310032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000073c7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb = "\\\\?\\Volume{B97E3C07-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\edc232bc484ce24bf6217939837fc6cbf03892ad9dff10d3c6fe8cbac931b9a6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a = "\\\\?\\Volume{B97E3C07-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\2a00b27b1ad9ff499e699649b2e5e9b43cf0a73c7c9d7d00018621a1f35eca21"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46c0a203-8681-42bf = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48e15548-48c6-40d9 = "\\\\?\\Volume{B97E3C07-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\3f8be388a6e5d5acd16bab84d000b62642e0ed51d2c81a8c6f3d4368ea05250f"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3461a3cd-9e16-4764 = 57d76bd6c8a3da01	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\3461a3cd-9e16-4764 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000eabbb1d5c8a3da01fff228d6c8a3da01fff228d6c8a3da01731507000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000ab58bb8b2000336461323766396466386233323934313461653237656439633931643231626134373636653161613662653534666234643463353338333735653533373835310000b20009000400efbeab58bb8bab58bb8b2e000000000000000000000000000000000000000000000000002b388f00330064006100320037006600390064006600380062003300320039003400310034006100650032003700650064003900630039003100640032003100620061003400370036003600650031006100610036006200650035003400660062003400640034006300350033003800330037003500650035003300370038003500310000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ce20539c1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c33646132376639646638623332393431346165323765643963393164323162613437363665316161366265353466623464346335333833373565353337383531000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000079636c657874616c000000000000000032c7bda1b4a83542a64d5b3e076d55943703a425d303ef11b826f2de30e5511532c7bda1b4a83542a64d5b3e076d55943703a425d303ef11b826f2de30e55115d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500370031003300310036003600350036002d0033003600360035003200350037003700320035002d0032003400310035003500330031003800310032002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000073c7eb9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\48e15548-48c6-40d9 = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0ff29e2-1100-488d	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46c0a203-8681-42bf = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\46c0a203-8681-42bf = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\63276efd-213e-4deb = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79bf507c-6a4a-4b1a = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\7df2a37d-a896-4868 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0ff29e2-1100-488d	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\e0ff29e2-1100-488d = "8324"	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	roblox-player.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
1688	roblox-player.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
1688	roblox-player.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
1688	roblox-player.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
1688	roblox-player.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
1688	roblox-player.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe
4660	dllhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	roblox-player.exe
Token: 33	4904	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4904	AUDIODG.EXE
Token: SeDebugPrivilege	1688	roblox-player.exe
Token: SeDebugPrivilege	4660	dllhost.exe
Token: SeShutdownPrivilege	1688	roblox-player.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3444	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 1688 wrote to memory of 4660	1688	roblox-player.exe	103
PID 4660 wrote to memory of 604	4660	dllhost.exe	5
PID 4660 wrote to memory of 672	4660	dllhost.exe	7
PID 4660 wrote to memory of 948	4660	dllhost.exe	12
PID 4660 wrote to memory of 1016	4660	dllhost.exe	13
PID 4660 wrote to memory of 392	4660	dllhost.exe	14
PID 4660 wrote to memory of 916	4660	dllhost.exe	15
PID 4660 wrote to memory of 1088	4660	dllhost.exe	17
PID 4660 wrote to memory of 1112	4660	dllhost.exe	18
PID 4660 wrote to memory of 1164	4660	dllhost.exe	19
PID 4660 wrote to memory of 1232	4660	dllhost.exe	20
PID 4660 wrote to memory of 1256	4660	dllhost.exe	21
PID 4660 wrote to memory of 1296	4660	dllhost.exe	22
PID 4660 wrote to memory of 1332	4660	dllhost.exe	23
PID 4660 wrote to memory of 1380	4660	dllhost.exe	24
PID 4660 wrote to memory of 1440	4660	dllhost.exe	25
PID 4660 wrote to memory of 1588	4660	dllhost.exe	26
PID 4660 wrote to memory of 1596	4660	dllhost.exe	27
PID 4660 wrote to memory of 1612	4660	dllhost.exe	28
PID 4660 wrote to memory of 1712	4660	dllhost.exe	29
PID 4660 wrote to memory of 1744	4660	dllhost.exe	30
PID 4660 wrote to memory of 1768	4660	dllhost.exe	31
PID 4660 wrote to memory of 1816	4660	dllhost.exe	32
PID 4660 wrote to memory of 1868	4660	dllhost.exe	33
PID 4660 wrote to memory of 1876	4660	dllhost.exe	34
PID 4660 wrote to memory of 1964	4660	dllhost.exe	35
PID 4660 wrote to memory of 2040	4660	dllhost.exe	36
PID 4660 wrote to memory of 1800	4660	dllhost.exe	37
PID 4660 wrote to memory of 2136	4660	dllhost.exe	39
PID 4660 wrote to memory of 2220	4660	dllhost.exe	40
PID 4660 wrote to memory of 2304	4660	dllhost.exe	41
PID 4660 wrote to memory of 2424	4660	dllhost.exe	42
PID 4660 wrote to memory of 2432	4660	dllhost.exe	43
PID 4660 wrote to memory of 2592	4660	dllhost.exe	44
PID 4660 wrote to memory of 2600	4660	dllhost.exe	45
PID 4660 wrote to memory of 2648	4660	dllhost.exe	46
PID 4660 wrote to memory of 2680	4660	dllhost.exe	47
PID 4660 wrote to memory of 2696	4660	dllhost.exe	48
PID 4660 wrote to memory of 2712	4660	dllhost.exe	49
PID 4660 wrote to memory of 2720	4660	dllhost.exe	50
PID 4660 wrote to memory of 2884	4660	dllhost.exe	51
PID 4660 wrote to memory of 3068	4660	dllhost.exe	52
PID 4660 wrote to memory of 2448	4660	dllhost.exe	53
PID 4660 wrote to memory of 3352	4660	dllhost.exe	55
PID 4660 wrote to memory of 3444	4660	dllhost.exe	56
PID 4660 wrote to memory of 3556	4660	dllhost.exe	57
PID 4660 wrote to memory of 3768	4660	dllhost.exe	58
PID 4660 wrote to memory of 3960	4660	dllhost.exe	60
PID 4660 wrote to memory of 4004	4660	dllhost.exe	62
PID 4660 wrote to memory of 4868	4660	dllhost.exe	65
PID 4660 wrote to memory of 4556	4660	dllhost.exe	66
PID 4660 wrote to memory of 2320	4660	dllhost.exe	67
PID 4660 wrote to memory of 3872	4660	dllhost.exe	68
PID 4660 wrote to memory of 1172	4660	dllhost.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1016
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9b50c5c2-edfe-49f2-bca9-c36d2e679864}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4660

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1164
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1380
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x308 0x4a0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2648

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2720

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3444
- C:\Users\Admin\AppData\Local\Temp\roblox-player.exe
  "C:\Users\Admin\AppData\Local\Temp\roblox-player.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77roblox-player.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\roblox-player.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:212
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1172

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2096

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4892

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4236

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-292-0x00000254C4C90000-0x00000254C4CBA000-memory.dmp

Filesize
168KB

Download
memory/392-50-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/392-49-0x00000254C4C90000-0x00000254C4CBA000-memory.dmp

Filesize
168KB

Download
memory/604-36-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/604-43-0x00000209DF480000-0x00000209DF4AA000-memory.dmp

Filesize
168KB

Download
memory/604-35-0x00000209DF480000-0x00000209DF4AA000-memory.dmp

Filesize
168KB

Download
memory/604-28-0x00000209DF450000-0x00000209DF473000-memory.dmp

Filesize
140KB

Download
memory/672-30-0x000001C5DAFB0000-0x000001C5DAFDA000-memory.dmp

Filesize
168KB

Download
memory/672-31-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/672-41-0x000001C5DAFB0000-0x000001C5DAFDA000-memory.dmp

Filesize
168KB

Download
memory/672-42-0x00007FFD8CF0D000-0x00007FFD8CF0E000-memory.dmp

Filesize
4KB

Download
memory/916-53-0x0000022BAEDB0000-0x0000022BAEDDA000-memory.dmp

Filesize
168KB

Download
memory/916-293-0x0000022BAEDB0000-0x0000022BAEDDA000-memory.dmp

Filesize
168KB

Download
memory/916-54-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/948-45-0x00000267AE5D0000-0x00000267AE5FA000-memory.dmp

Filesize
168KB

Download
memory/948-291-0x00007FFD8CF0C000-0x00007FFD8CF0D000-memory.dmp

Filesize
4KB

Download
memory/948-290-0x00000267AE5D0000-0x00000267AE5FA000-memory.dmp

Filesize
168KB

Download
memory/948-46-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/1016-38-0x0000022830E40000-0x0000022830E6A000-memory.dmp

Filesize
168KB

Download
memory/1016-44-0x0000022830E40000-0x0000022830E6A000-memory.dmp

Filesize
168KB

Download
memory/1016-39-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/1088-60-0x00000216D1140000-0x00000216D116A000-memory.dmp

Filesize
168KB

Download
memory/1088-61-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/1112-64-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/1112-63-0x000001CD831B0000-0x000001CD831DA000-memory.dmp

Filesize
168KB

Download
memory/1164-67-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/1164-66-0x00000281DD490000-0x00000281DD4BA000-memory.dmp

Filesize
168KB

Download
memory/1232-70-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/1232-69-0x00000212F2000000-0x00000212F202A000-memory.dmp

Filesize
168KB

Download
memory/1256-74-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/1256-73-0x0000021D9D340000-0x0000021D9D36A000-memory.dmp

Filesize
168KB

Download
memory/1296-84-0x0000024BB5380000-0x0000024BB53AA000-memory.dmp

Filesize
168KB

Download
memory/1296-85-0x00007FFD4CEF0000-0x00007FFD4CF00000-memory.dmp

Filesize
64KB

Download
memory/1688-11-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

Filesize
10.8MB

Download
memory/1688-7-0x00000250470E0000-0x000002504718A000-memory.dmp

Filesize
680KB

Download
memory/1688-1-0x00007FFD6EE63000-0x00007FFD6EE65000-memory.dmp

Filesize
8KB

Download
memory/1688-2-0x0000025046D20000-0x0000025046EE2000-memory.dmp

Filesize
1.8MB

Download
memory/1688-18-0x00007FFD8CE70000-0x00007FFD8D065000-memory.dmp

Filesize
2.0MB

Download
memory/1688-3-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

Filesize
10.8MB

Download
memory/1688-4-0x0000025047560000-0x0000025047A88000-memory.dmp

Filesize
5.2MB

Download
memory/1688-5-0x00007FFD6EE63000-0x00007FFD6EE65000-memory.dmp

Filesize
8KB

Download
memory/1688-19-0x00007FFD8CD70000-0x00007FFD8CE2E000-memory.dmp

Filesize
760KB

Download
memory/1688-17-0x00000250472C0000-0x00000250472FE000-memory.dmp

Filesize
248KB

Download
memory/1688-16-0x00000250470B0000-0x00000250470CE000-memory.dmp

Filesize
120KB

Download
memory/1688-15-0x0000025047070000-0x0000025047082000-memory.dmp

Filesize
72KB

Download
memory/1688-14-0x00000250474E0000-0x0000025047556000-memory.dmp

Filesize
472KB

Download
memory/1688-13-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

Filesize
10.8MB

Download
memory/1688-12-0x000002502E620000-0x000002502E62E000-memory.dmp

Filesize
56KB

Download
memory/1688-0-0x000002502C760000-0x000002502C778000-memory.dmp

Filesize
96KB

Download
memory/1688-6-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

Filesize
10.8MB

Download
memory/4660-23-0x00007FFD8CE70000-0x00007FFD8D065000-memory.dmp

Filesize
2.0MB

Download
memory/4660-20-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4660-22-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4660-21-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4660-25-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4660-24-0x00007FFD8CD70000-0x00007FFD8CE2E000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads